EP3271885B1 - Vérification de transaction de dispositifs multiples - Google Patents

Vérification de transaction de dispositifs multiples Download PDF

Info

Publication number
EP3271885B1
EP3271885B1 EP16765725.3A EP16765725A EP3271885B1 EP 3271885 B1 EP3271885 B1 EP 3271885B1 EP 16765725 A EP16765725 A EP 16765725A EP 3271885 B1 EP3271885 B1 EP 3271885B1
Authority
EP
European Patent Office
Prior art keywords
transaction
portable
portable communication
time
communication device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP16765725.3A
Other languages
German (de)
English (en)
Other versions
EP3271885A4 (fr
EP3271885A1 (fr
Inventor
Kim Wagner
John Sheets
Mark Nelsen
Jing Jin
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Visa International Service Association
Original Assignee
Visa International Service Association
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Visa International Service Association filed Critical Visa International Service Association
Publication of EP3271885A1 publication Critical patent/EP3271885A1/fr
Publication of EP3271885A4 publication Critical patent/EP3271885A4/fr
Application granted granted Critical
Publication of EP3271885B1 publication Critical patent/EP3271885B1/fr
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3224Transactions dependent on location of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/084Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Definitions

  • Electronic access transactions are susceptible to fraud.
  • a credit card can be stolen or fabricated, and used in a fraudulent card-present transaction at a merchant even though the true owner of the card is not present at the merchant.
  • a person's access badge may be stolen and an unauthorized person may attempt to enter a location where they would not be otherwise authorized to enter.
  • US 2011/047075 A1 discloses location controls on payment card transactions.
  • US 2015/046330 A1 discloses a transaction processing system and method.
  • US 2013/268378 A1 discloses a method and apparatus for performing transaction validation between a mobile communication device and a terminal using location data.
  • Embodiments of the invention address this and other problems, individually and collectively.
  • a method as defined in appended claim 1.
  • a server computer as defined in appended claim 6.
  • Embodiments of the invention are directed to systems and methods for ensuing that transactions are conducted by authorized users.
  • One embodiment of the invention is directed to a method.
  • the method comprises receiving, by a server computer, device information and a resource provider identifier from a portable communication device of a user, wherein the resource provider identifier was received by the portable communication device from a base station at a resource provider identified by the resource provider identifier; receiving, by the server computer and from an access device in a transaction, an authorization request message comprising a credential or a token, after a portable transaction device provides the credential or token to the access device; and analyzing, by the server computer, the authorization request message to determine that the user of the portable communicate device is also using the portable transaction device to conduct the transaction at the access device.
  • Another embodiment of the invention is directed to a method comprising: receiving, by a server computer, device information and a resource provider identifier from a portable communication device of a user, wherein the resource provider identifier was received by the portable communication device from a base station at a resource provider identified by the resource provider identifier; determining a credential or a token from the device information; and transmitting the credential or the token, and a first biometric template to the portable communication device, wherein the portable communication device transmits the biometric template to the base station, wherein the base station receives a second biometric template from a biometric acquisition device that generates the second biometric template after receiving a biometric from a user, and compares the first and second biometric templates to determine if the user is authentic.
  • FIG. 1 A block diagram illustrating an exemplary computing environment in accordance with the present invention.
  • FIG. 1 A block diagram illustrating an exemplary computing environment in accordance with the present invention.
  • FIG. 1 A block diagram illustrating an exemplary computing environment in accordance with the present invention.
  • FIG. 1 A block diagram illustrating an exemplary computing environment in accordance with the present invention.
  • FIG. 1 A block diagram illustrating an exemplary computing environment in accordance with the present inventions.
  • Embodiments of the present invention provide techniques for verifying a transaction based upon the presence of a user's portable communication device being at a location such as a merchant location.
  • a location such as a merchant location.
  • the portable communication device when a user enters a merchant store with a portable communication device, the portable communication device provides an indication to a transaction processing system that the portable communication device is currently at the merchant location.
  • a portable transaction device which may be separate and different from the portable communication device
  • the fact that the user's portable communication device had been detected at the merchant store a short time ago is taken into account as a positive indicator that the transaction is not fraudulent.
  • Embodiments of the invention can verify that both the portable communication device and the portable transaction device are present at the merchant before transactions can be authorized, thereby reducing the risk that fraudulent transactions can be conducted.
  • a process for verifying a transaction may include receiving device information from a portable communication device, and receiving an authorization request message from an access device to conduct a transaction.
  • the authorization request message may include account credentials read from a portable transaction device and a merchant identifier associated with a merchant.
  • the process may determine if the portable communication device is at the same merchant as the portable transaction device, and may include verifying the transaction.
  • Other embodiments of the invention relate to the use of biometric templates in authenticating access transactions such as payment transactions.
  • embodiments of the invention can apply to other types of transactions including physical location access transactions (e.g., a transaction in which a user may wish to entire a venue such as a train terminal) and data request access transactions (e.g., a transaction in which a user may wish to access information about their plane flight at a kiosk in an airport).
  • physical location access transactions e.g., a transaction in which a user may wish to entire a venue such as a train terminal
  • data request access transactions e.g., a transaction in which a user may wish to access information about their plane flight at a kiosk in an airport.
  • a “portable communication device” may be a portable device that can be transported and be operated by a user, and may include one or more electronic components (e.g., an integrated chip, etc.).
  • a portable communication device according to an embodiment of the invention may be in any suitable form including, but not limited to a mobile phone (e.g., smart phone, cellular phone, etc.), a tablet computer, a portable media player, a personal digital assistant device (PDA), a wearable communication device (e.g., watch, bracelet, glasses, etc.), an electronic reader device, a laptop, a netbook, an ultrabook, etc.
  • a portable communication device may also be in the form of a vehicle (e.g., a car) equipped with communication capabilities.
  • Portable communication devices can be configured to communicate with external entities such as remote communication gateways through long range communications technologies and protocols. They may also be configured to communicate with external entities such as access devices using any suitable short or medium range communications technology including Bluetooth (classic and BLE - Bluetooth low energy), NFC (near field communications), IR (infrared), Wi-Fi, etc.
  • Bluetooth classic and BLE - Bluetooth low energy
  • NFC near field communications
  • IR infrared
  • Wi-Fi etc.
  • a "portable transaction device” may be a portable device that can be used to conduct a transaction.
  • a portable transaction device may include a storage technology (e.g., electronic memory, magnetic stripe, etc.) to store credentials or tokens associated with an account of a user.
  • a portable transaction device can be in any of the forms described above with respect to the portable communication device, or in the form of a card (e.g., integrated chip card, magnetic stripe card) or a fob, etc.
  • the portable transaction device and the portable communication device may be the same device, and need not be separate devices.
  • Specific examples of portable transaction devices can include wearable devices, payment cards such as credit, debit, and prepaid cards, vehicles with remote communication capabilities, etc.
  • a "server computer” may include a powerful computer or cluster of computers.
  • the server computer can be a large mainframe, a minicomputer cluster, or a group of servers functioning as a unit.
  • a server computer may be a database server coupled to a Web server.
  • a server computer may comprise one or more computational apparatuses and may use any of a variety of computing structures, arrangements, and compilations for servicing the requests from one or more client computers.
  • An "access device” may be any suitable device for providing access to an external computer system.
  • An access device may be in any suitable form.
  • Some examples of access devices include point of sale (POS) devices, cellular phones, PDAs, personal computers (PCs), tablet PCs, hand-held specialized readers, set-top boxes, electronic cash registers (ECRs), automated teller machines (ATMs), virtual cash registers (VCRs), kiosks, security systems, access systems, Websites, and the like.
  • An access device may use any suitable contact or contactless mode of operation to send or receive data from, or associated with, a portable communication device.
  • any suitable POS terminal may be used and may include a reader, a processor, and a computer-readable medium.
  • a reader may include any suitable contact or contactless mode of operation.
  • exemplary card readers can include radio frequency (RF) antennas, optical scanners, bar code readers, or magnetic stripe readers to interact with a portable communication device.
  • RF radio frequency
  • An "authorization request message” may be an electronic message that is sent to request authorization for a transaction.
  • the authorization request message can be sent to a payment processing network and/or an issuer of a payment card.
  • An authorization request message according to some embodiments may comply with ISO 8583, which is a standard for systems that exchange electronic transaction information associated with a payment made by a user using a payment device or payment account.
  • the authorization request message may include information that can be used to identify an account.
  • An authorization request message may also comprise additional data elements such as one or more of a service code, an expiration date, etc.
  • An authorization request message may also comprise transaction information, such as any information associated with a current transaction, such as the transaction amount, merchant identifier, merchant location, etc., as well as any other information that may be utilized in determining whether to identify and/or authorize a transaction.
  • the authorization request message may also include other information such as information that identifies the access device that generated the authorization request message, information about the location of the access device, etc.
  • An "authorization response message” may be an electronic message reply to an authorization request message.
  • the authorization response message can be generated by an issuing financial institution or a payment processing network.
  • the authorization response message may include, by way of example only, one or more of the following status indicators: Approval -- transaction was approved; Declinetransaction was not approved; or Call Center -- response pending more information, merchant must call the toll-free authorization phone number.
  • the authorization response message may also include an authorization code, which may be a code that a credit card issuing bank returns in response to an authorization request message in an electronic message (either directly or through the payment processing network) to the merchant computer that indicates approval of the transaction. The code may serve as proof of authorization.
  • a “credential” may be any suitable information that serves as reliable evidence of worth, ownership, identity, or authority.
  • a credential may be a string of numbers, letters, or any other suitable characters, as well as any object or document that can serve as confirmation. Examples of credentials include value credentials, identification cards, certified documents, access cards, passcodes and other login information, etc.
  • a "value credential” may be information associated with worth. Examples of value credentials include payment credentials, coupon identifiers, information needed to obtain a promotional offer, etc.
  • a "payment credential” may include any suitable credential that can be used to conduct a payment transaction. Such information may be directly related to the account or may be derived from information related to the account. Examples of account information may include a PAN (primary account number or "account number"), user name, expiration date, CVV (card verification value), dCVV (dynamic card verification value), CVV2 (card verification value 2), CVC3 card verification values, etc.
  • PAN primary account number or "account number”
  • CVV card verification value
  • dCVV dynamic card verification value
  • CVV2 card verification value 2
  • CVC3 card verification values etc.
  • An “application” may be computer code or other data stored on a computer readable medium (e.g. memory element or secure element) that may be executable by a processor to complete a task.
  • a computer readable medium e.g. memory element or secure element
  • a "token” may be a substitute value for a credential.
  • a token may be a string of numbers, letters, or any other suitable characters. Examples of tokens include payment tokens, access tokens, personal identification tokens, etc.
  • a "payment token” may include an identifier for a payment account that is a substitute for an account identifier, such as a primary account number (PAN) and/or an expiration date.
  • a token may include a series of alphanumeric characters that may be used as a substitute for an original account identifier. For example, a token "4900 0000 0000 0001" may be used in place of a PAN "4147 0900 0000 1234.”
  • a token may be "format preserving” and may have a numeric format that conforms to the account identifiers used in existing transaction processing networks (e.g., ISO 8583 financial transaction message format).
  • a token may be used in place of a PAN to initiate, authorize, settle or resolve a payment transaction or represent the original credential in other systems where the original credential would typically be provided.
  • a token value may be generated such that the recovery of the original PAN or other account identifier from the token value may not be computationally derived.
  • the token format may be configured to allow the entity receiving the token to identify it as a token and recognize the entity that issued the token.
  • Tokenization is a process by which data is replaced with substitute data.
  • a payment account identifier e.g., a primary account number (PAN)
  • PAN primary account number
  • substitute number e.g. a token
  • a "token provider” or “token service system” can include a system that services payment tokens.
  • a token service system can facilitate requesting, determining (e.g., generating) and/or issuing tokens, as well as maintaining an established mapping of tokens to primary account numbers (PANs) in a repository (e.g. token vault).
  • PANs primary account numbers
  • the token service system may establish a token assurance level for a given token to indicate the confidence level of the token to PAN binding.
  • the token service system may include or be in communication with a token vault where the generated tokens are stored.
  • the token service system may support token processing of payment transactions submitted using tokens by de-tokenizing the token to obtain the actual PAN.
  • a token service system may include a tokenization computer alone, or in combination with other computers such as a transaction processing network computer.
  • Various entities of a tokenization ecosystem may assume the roles of the token service provider. For example, payment networks and issuers or their agents may become the token service provider by implementing the token services according to embodiments of the present invention.
  • a "token domain” may indicate an area and/or circumstance in which a token can be used.
  • the token domain may include, but are not limited to, payment channels (e.g., e-commerce, physical point of sale, etc.), POS entry modes (e.g., contactless, magnetic stripe, etc.), and merchant identifiers to uniquely identify where the token can be used.
  • a set of parameters i.e. token domain restriction controls
  • the token domain restriction controls may restrict the use of the token with particular presentment modes, such as contactless or e-commerce presentment modes.
  • the token domain restriction controls may restrict the use of the token at a particular merchant that can be uniquely identified. Some exemplary token domain restriction controls may require the verification of the presence of a token cryptogram that is unique to a given transaction. In some embodiments, a token domain can be associated with a token requestor.
  • Token expiry date may refer to the expiration date/time of the token.
  • the token expiry date may be passed among the entities of the tokenization ecosystem during transaction processing to ensure interoperability.
  • the token expiration date may be a numeric value (e.g. a 4-digit numeric value).
  • the token expiry date can be expressed as an time duration as measured from the time of issuance.
  • a "token request message” may be an electronic message for requesting a token.
  • a token request message may include information usable for identifying a payment account or digital wallet, and/or information for generating a payment token.
  • a token request message may include payment credentials, mobile device identification information (e.g. a phone number or MSISDN), a digital wallet identifier, information identifying a tokenization service provider, a merchant identifier, a cryptogram, and/or any other suitable information.
  • Information included in a token request message can be encrypted (e.g., with an issuer-specific key).
  • a "token response message” may be a message that responds to a token request.
  • a token response message may include an indication that a token request was approved or denied.
  • a token response message may also include a payment token, mobile device identification information (e.g. a phone number or MSISDN), a digital wallet identifier, information identifying a tokenization service provider, a merchant identifier, a cryptogram, and/or any other suitable information.
  • Information included in a token response message can be encrypted (e.g., with an issuer-specific key).
  • a “resource provider” may be an entity that can provide a resource such as goods, services, information, and/or access. Examples of resource providers include merchants, data providers such as government agencies, transit agencies, etc.
  • a “merchant” may typically be an entity that engages in transactions and can sell goods or services, or provide access to goods or services.
  • An “acquirer” may typically be a business entity (e.g., a commercial bank) that has a business relationship with a particular merchant or other entity. Some entities can perform both issuer and acquirer functions. Some embodiments may encompass such single entity issuer-acquirers.
  • An acquirer may operate an acquirer computer, which can also be generically referred to as a "transport computer”.
  • An "authorizing entity” may be an entity that authorizes a request. Examples of an authorizing entity may be an issuer, a governmental agency, a document repository, an access administrator, etc. An authorizing entity may operate an authorization computer.
  • An "issuer” may refer to a business entity (e.g., a bank) that issues and optionally maintains an account for a user. An issuer may also issue payment credentials stored on a user device, such as a cellular telephone, smart card, tablet, or laptop to the consumer.
  • An "account identifier" may include an identifier for an account.
  • An account identifier may include an original account identifier associated with a payment account.
  • a real account identifier may be a primary account number (PAN) issued by an issuer for a card account (e.g., credit card, debit card, etc.).
  • PAN primary account number
  • a real account identifier may include a sixteen digit numerical value such as "4147 0900 0000 1234.” The first six digits of the real account identifier (e.g., "414709”), may represent a real issuer identifier (BIN) that may identify an issuer associated with the real account identifier.
  • BIN real issuer identifier
  • a "key” may refer to a piece of information that is used in a cryptographic algorithm to transform input data into another representation.
  • a cryptographic algorithm can be an encryption algorithm that transforms original data into an alternate representation, or a decryption algorithm that transforms encrypted information back to the original data. Examples of cryptographic algorithms may include triple data encryption standard (TDES), data encryption standard (DES), advanced encryption standard (AES), etc.
  • a "cryptographic pattern” may include cryptographically secure data. Examples of cryptographic patterns may include cryptographic hashes, encrypted data, etc.
  • a "resource provider identifier" can include any suitable type of information that can identify a resource provider or a location of a resource provider.
  • resource provider identifiers may include a merchant ID, a store ID, a device ID of a device at a resource provider location, a major value (e.g., a store major value), a minor value (e.g., a store minor value), etc.
  • FIG. 1 illustrates an system 100 according to an embodiment of the invention.
  • the system 100 can be used to authenticate a user that is attempting to use a portable transaction device to conduct a transaction at a resource provider location.
  • System 100 includes a portable communication device 102 (e.g., a mobile phone), a base station 104 (e.g., an in-store Bluetooth low energy (BLE) base station or controller), an access device 106 (e.g., an in-store POS terminal), a portable transaction device 108 (e.g., a card), and a transaction processing system 110.
  • a portable communication device 102 e.g., a mobile phone
  • BLE Bluetooth low energy
  • access device 106 e.g., an in-store POS terminal
  • portable transaction device 108 e.g., a card
  • a transaction processing system 110 e.g., a card
  • the transaction processing system 110 can be in communication with the portable communication device 102 and the access device 106.
  • the base station 104 may be in communication with the portable communication device 102 and the access device 106.
  • a user may operate the portable communication device 102 and a portable transaction device 108. If the user is an authentic user, then the portable communication device 102, the portable transaction device 108, the access device 106, and the base station 104 would all be located at the same location (e.g., the same merchant, the same entrance to a venue, etc.).
  • the communication between portable communication device 102 and transaction processing system 110 can be performed using a secure communication protocol such as transport layer security protocol, secure sockets layer protocol, or other suitable secure communication protocols.
  • a secure communication protocol such as transport layer security protocol, secure sockets layer protocol, or other suitable secure communication protocols.
  • the access device 106 and the base station 104 can be coupled together or communicate in any suitable manner.
  • the access device and the base station 104 may be connected by a physical wire, or may be connected through a short range wireless connection (e.g., as described below with respect to the base station 104).
  • BLE Bluetooth Low Energy
  • Bluetooth Low Energy is a wireless personal area network technology used for transmitting data over short distances. It is designed for low energy consumption and cost, while maintaining a communication range similar to classic Bluetooth.
  • BLE communication consists primarily of "advertisements," or small packets of data, broadcast at a regular interval by beacons (which may be present in or be a base station) or other BLE enabled devices via radio waves.
  • BLE advertising is a one-way communication method. Beacons that want to be “discovered” can broadcast, or “advertise" self-contained packets of data in set intervals. These packets are meant to be collected by devices like smartphones, where they can be used for a variety of smartphone applications to trigger things like push messages, app actions, and prompts.
  • An optimal broadcast interval can be 100 ms. Broadcasting more frequently uses more battery life but allows for quicker discovery by smartphones and other listening devices.
  • Standard BLE has a broadcast range of up to 100 meters.
  • BLE stations can also be present in the base stations in embodiments of the invention. BLE stations can allow for two way communication with a mobile communication device.
  • the transaction processing system 110 which can be implemented as a cloud based system or as a server computer system, can be remotely located with respect to the portable communication device 102, the portable transaction device 108, the access device 106, and the base station 104.
  • Suitable communications networks may be any one and/or the combination of the following: a direct interconnection; the Internet; a Local Area Network (LAN); a Metropolitan Area Network (MAN); an Operating Missions as Nodes on the Internet (OMNI); mesh networks, a secured custom connection; a Wide Area Network (WAN); a wireless network (e.g., employing protocols such as, but not limited to a Wireless Application Protocol (WAP), I-mode, and/or the like); and/or the like.
  • WAP Wireless Application Protocol
  • I-mode I-mode
  • a user may enroll the portable communication device 102 for the transaction service by downloading a transaction application (e.g., a payment application, mobile wallet application, etc.) onto the portable communication device 102.
  • the user then links the portable communication device 102 to one or more portable transaction devices (e.g., the portable transaction device 108).
  • the information regarding the portable communication device 102 and the user may be stored in the transaction processing system 110.
  • the merchant store may also include the access device 106 and the base station 104.
  • base station 104 at the merchant store detects the enrolled portable communication device 102 and sends a wireless transmission (e.g., a beacon) to the portable communication device 102.
  • the wireless transmission may include a merchant identifier (MID), and a store ID (SID). It may optionally include date/time information such as the current date and/or time (e.g., a time stamp).
  • the wireless transmission may include a base station ID, and portable communication device 102 may retrieve the MID and SID from the cloud or a remote server that has a mapping of base station IDs to the particular merchant and store where base station 104 resides.
  • the wireless transmission may include a major value such as a store major value, a minor value such as store minor value, and a UUID.
  • the UUID may be a 16 byte string that is used to differentiate a large group of related base stations.
  • the major value may be a two byte string used to distinguish a smaller subset of base stations within the larger group.
  • the minor value may be a two byte string that is used to identify individual base stations. Together, the UUID, the major value and the minor value could be used to determine a specific physical location such as a merchant store.
  • portable communication device 102 may send a cryptographic pattern request to the transaction processing system 110 to request a cryptographic pattern from transaction processing system 110.
  • the cryptographic pattern request may include device information such as a device ID identifying the portable communication device 102 and/or a device fingerprint of portable communication device 102, as well as any or all of the data obtained from the base station 104 (e.g., the MID, SID, UUID, major, and minor), and time information (e.g., date and/or time) and also a random number to prevent replays.
  • device identifiers may include IMEI numbers, MSISDN numbers, UDID (Universal Device ID) numbers, SIM card numbers, etc.
  • Examples of device fingerprints may include unique serial numbers assigned to unique hardware, web browser fingerprints, etc.
  • Device information may also include account identifiers or tokens specifically tied to a portable communication device 102.
  • the device information in this example does not include real user credentials such as a real PAN.
  • real credentials may be sent by the portable communication device 102 to the transaction processing system 110.
  • transaction processing system 110 validates the device ID and device fingerprint against previous information provided from portable communication device 102 during enrollment to ensure that portable communication device 102 is an enrolled device, and that portable communication device 102 has not been hacked (e.g., jail-broken) or otherwise compromise with malware or viruses.
  • the transaction processing system 110 looks up an account identifier (e.g., a PAN) and expiration date (or token) associated with the portable communication device 102 using the device ID and/or device fingerprint (assuming that the PAN was not transmitted by the portable communication device 102). This can be done by electronically searching a database for the credential or token.
  • account identifier e.g., a PAN
  • expiration date or token
  • the transaction processing system 110 uses a cryptographic pattern (e.g., PAN pattern).
  • the cryptographic pattern can be based on the account identifier, the expiration date of the account identifier, and base station information such as one or more of the MID, SID, UUID, store major, store minor and the current date.
  • a nonce may be added to the cryptographic pattern to prevent replay attacks.
  • the cryptographic pattern can be the result of hashing these data elements and taking a predetermined number of bytes of the hashed data elements. The predetermined number of bytes may be the most significant four bytes of the hash result.
  • transaction processing system 110 may sign the cryptographic pattern using a private key of a public/private key pair. The transaction processing system 110 may also log the time of the cryptographic pattern request.
  • transaction processing system 110 responds to the cryptographic pattern request by sending the generated cryptographic pattern to portable communication device 102.
  • step S105 after the portable communication device 102 receives the cryptographic pattern, the portable communication device 102 forwards the cryptographic pattern to base station 104.
  • step S106 after the base station 104 receives the cryptographic pattern, the base station 104 sends the cryptographic pattern to the access device 106.
  • the cryptographic pattern is signed by transaction processing system 110
  • either base station 104 or access device 106 can be provided with a corresponding public key of the private/public key pair to validate the signature.
  • the access device 106 stores the cryptographic pattern (e.g., in a table).
  • the user conducts a transaction by interacting portable transaction device 108 with access device 106.
  • the portable transaction device 108 may interact with the access device 106 using any suitable contact based method (e.g., using a magnetic stripe or electrical contacts) or contactless based method (e.g., using NFC, Bluetooth, Wi-Fi, etc.).
  • access device 106 reads the account credentials (e.g., account identifier such as a PAN, expiration date, etc.) stored on portable transaction device 108, and calculates its own cryptographic pattern. For example, access device 106 may calculate the cryptographic pattern by hashing the account identifier and expiration date read from portable transaction device 108, the MID and SID which access device 106 knows, and the current date, and taking the most significant four bytes of the hash result. Access device 106 then compares the locally generated cryptographic pattern against the list of cryptographic patterns received from base station 104, and makes a local decision regarding the processing options for this transaction.
  • account credentials e.g., account identifier such as a PAN, expiration date, etc.
  • a matching cryptographic pattern can be used as a cardholder (e.g., user) verification method (CVM) indicating to the issuer (or other authorizing entity) that the portable communication device 102 is present. For example, if the locally generated cryptographic pattern matches a previously received cryptographic pattern, access device 106 may omit prompting the user for entry of a PIN or signature to improve the user experience since the matching cryptographic pattern verifies that the portable communication device 102 is present. Also, since the presence of the portable communication device 102 has been confirmed as being present, additional user verification methods (such as requests for PINs or signatures) need not be performed.
  • CVM cardholder verification method
  • Access device 106 may then generate an authorization request message with a transaction verification result (TVR).
  • the transaction verification result can be an example of verification data and can be in any suitable form, and can be a bit set to indicate that the user's portable communication device 102 is present with the portable transaction device 108 at the merchant store.
  • access device 108 sends the authorization request message including one or more of account credentials, a transaction cryptogram and the TVR bit to transaction processing system 110.
  • the transaction processing system 110 can analyze the authorization request message to determine that the user of the portable communication device 102 is also conducting the transaction at the access device 206. In some embodiments, this can be done by determining if the TVR is present in the authorization request message and determining if the TVR indicates that the access device 106 previously and successfully performed a cryptographic pattern matching process. If the TVR bit in the authorization request message indicates presence of the user's portable communication device 102, transaction processing system 110 may verify whether a cryptographic pattern request was recently received within an allowable time window for the particular account identifier. An allowable time window may depend upon the circumstances of the particular location.
  • the allowable time period may be the normal arrival and waiting time to departure on a particular vehicle to a particular destination. If the transaction is a department store, than the time window could be a couple of hours or less. If the transaction is at a fast food store, then the transaction time may be 30 minutes or less.
  • the transaction processing system 110 may also determine whether or not the transaction is authorized based upon other factors including whether there are sufficient funds or credit in the account that is being used to conduct the transaction. In other embodiments, the transaction processing system 110 may forward the authorization request to a downstream authorizing computer (not shown) and the authorizing computer may determine whether or not the transaction is authorized. If an authorizing computer makes the authorization decision, it will transmit an authorization response message back to the transaction processing system 110 with the authorization result.
  • transaction processing system 110 sends the authorization response message to access device 106 indicating whether the transaction is approved or declined.
  • a clearing and settlement process can take place.
  • step S111 is used by the transaction processing system 110 to validate authorization requests against a record of cryptographic pattern requests. Otherwise, fraudsters may potentially come into a store with stolen cards and send their own, properly calculated cryptographic patterns to base station 104, and thereby bypass other CVMs when paying with the stolen cards. This kind of fraud can be caught by checking for each transaction with such a setting that transaction processing system 110 previously (and within the appropriate time window) had received a corresponding cryptographic pattern request.
  • One such mechanism can be where transaction processing system 110 signs the cryptographic pattern.
  • the merchant can trust that any cryptographic pattern it sees comes from the transaction processing system 110 and not from a fraudster with stolen cards because the fraudster would not have the proper key to sign the cryptographic pattern.
  • Base station 104 or access device 106 can have a public key with which to validate the signature.
  • the signature may contain a nonce (e.g. a counter or random number) to avoid replay.
  • the link between the base station 104 and access device 106 can communicate over a trusted connection to prevent a fraudster from injecting fake cryptographic patterns over that connection.
  • transaction processing system 110 may also perform audits or spot checks to verify received authorization requests against recent cryptographic pattern requests to ensure that a rogue merchant is not injecting its own fake cryptographic patterns, or just setting the corresponding bit regardless of the presence of any portable communication device.
  • base station 104 can ping portable communication device 102 again.
  • a mid-range wireless communication such as BLE is well-suited to estimate the distance to the portable communication device 102, so that the base station 104 can detect how far away the portable communication device 102 is to access device 106.
  • a time-out for the cryptographic patterns can also implemented to force a renewal or refresh if passed. Different time windows may be used depending on the kind of store (fast food vs. furniture, for example).
  • FIG. 2 illustrates a system 200 that can utilize a base station that operates only as a beacon.
  • System 200 includes similar components as those described with reference to FIG. 1 .
  • Elements 202, 204, 206, 208, and 210 in FIG. 2 can be similar to elements 102, 104, 106, 108, and 110 in FIG. 1 , respectively.
  • the transaction flow shown in FIG. 2 can be referred to as a "beacon-only" flow, because the base station 204 at the merchant store does not need to detect the presence of the portable communication device 202, but simply provides a one-way beacon that informs portable communication devices in the store about the merchant ID and store ID (or UUID, major, and/or minor) for that store.
  • Portable communication device 202 can be registered and enrolled with the transaction processing system 210.
  • the portable communication device 202 can then use the information from the base station 204 and can transmit it to transaction processing system 210 along with information from the portable communication device 202.
  • This enables the transaction processing system 210 to see a transaction from an enrolled portable transaction device 208 and check if transaction processing system 210 has received information that the corresponding portable communication device 202 is in that store.
  • This can be used by the transaction processing system 210 to conduct a stand-in approval/decline decision, or to forward this information to the issuer for the same purpose.
  • a merchant would not know if the portable transaction device 208 is accompanied by a portable communication device 202 before transmitting the authorization request message.
  • This scheme does not require additional logic at the access device 206, and hence reduces the need to modify existing resource provider equipment.
  • base station 204 at the merchant store emits a wireless transmission (e.g., a beacon) with a beacon ID.
  • base station information 204 such as a UUID, a store major, and a store minor may be emitted in the wireless transmission.
  • portable communication device 202 receiving the beacon ID may send a device ID identifying the portable communication device 202, a device fingerprint of portable communication device 202, the received beacon ID, and date/time information (e.g., date and/or time) to transaction processing system 210.
  • the portable communication device 202 could alternatively transmit credentials or a token instead of the device ID and/or device fingerprint.
  • the communication between portable communication device 202 and transaction processing system 210 can be performed using a secure communication protocol such as transport layer security protocol, secure sockets layer protocol, or other suitable secure communication protocols.
  • transaction processing system 210 validates the device ID and device fingerprint against previous information provided from portable communication device 202 during enrollment to ensure that portable communication device 202 is an enrolled device, and that portable communication device 202 has not been hacked (e.g., jail-broken) or otherwise compromised with malware or viruses.
  • Transaction processing system 210 looks up an account identifier (e.g., a PAN) and expiration date associated with the portable communication device 202, associates the account identifier to the beacon ID, and stores all of this information indicating that the user of portable communication device 202 is currently at a merchant store identified by the beacon ID in a database.
  • account identifier e.g., a PAN
  • the beacon ID may also have been stored in the database along with an additional resource provider identifier such as a merchant ID and/or an access device ID (e.g., a terminal ID).
  • an additional resource provider identifier such as a merchant ID and/or an access device ID (e.g., a terminal ID).
  • the PAN or a token of the PAN could have been sent to the transaction processing system 210 by the portable communication device 202 in place of the device ID and/or device fingerprint.
  • the transaction processing system 110 may also log the date and/or time when the request was received.
  • the user conducts a transaction by interacting portable transaction device 208 with access device 206 at a later time.
  • the portable transaction device 208 may interact with the access device 206 using any suitable contact based method (e.g., using a magnetic stripe or electrical contacts) or contactless based method (e.g., using NFC, Bluetooth, Wi-Fi, etc.).
  • the access device 206 reads the account credentials (e.g., account identifier such as a PAN, expiration date, etc.) stored on portable transaction device 208, and generates an authorization request message.
  • the authorization request message may include at least a transaction amount, a credential from the portable transaction device 208, a terminal ID and/or a merchant ID.
  • the access device 206 sends the authorization request message to transaction processing system 210.
  • the transaction processing system 110 (or a server computer in it) can analyze the authorization request message to determine that the user of the portable communication device 102 is also conducting the transaction at the access device 206.
  • the transaction processing system can use the account credentials (e.g., account identifier) from the received authorization request message to find any associated beacon ID.
  • Transaction processing system 210 uses the beacon ID to determine if any merchant ID or terminal ID registered to the beacon ID matches the MID or terminal ID from the received authorization request message. If a match is found, then the transaction processing system 210 can verify that in fact the authentic user is in fact present at the specified location.
  • the transaction processing system 210 may then send an authorization response message to access device 206 indicating whether an enrolled user was present based on whether there is match.
  • the transaction processing system 210 may perform authorization decisioning, or a downstream authorization computer may decide if the transaction is authorized.
  • a clearing and settlement process can take place.
  • the transaction processing system 210 associates the information (e.g., beacon ID) provided by the base station 204 via the portable communication device 202 with the merchant ID and the terminal ID received in an authorization request message.
  • the information e.g., beacon ID
  • the base station 204 can be a device that is not tied to any particular merchant.
  • Each base station can be paired with a test transaction device with a test bank identification number (BIN), so that the test transaction device cannot be used for genuine purchases.
  • Each test transaction device can be equipped with a unique test account identifier.
  • the beacon ID provided by the base station is tied to the test transaction device's unique test account identifier.
  • Each base station has a unique beacon ID, which transaction processing system 210 can associate to the unique test account identifier on the test transaction device.
  • a merchant (or other resource provider) can install such a base station in the store, use the test transaction device that comes with it, and perform a transaction in each of their access devices.
  • transaction processing system 210 can recognize the test account identifiers in the authorization request messages.
  • the authorization request messages may also include merchant IDs, access device IDs and other information.
  • the transaction processing system 210 can then determine that the transactions were conducted using the particular test transaction device used in conjunction with setting up the base stations. At this point, transaction processing system 210 uses the test account identifier to look up the beacon ID paired with the particular test transaction device. Transaction processing system 210 then creates an association from that beacon ID to the merchant ID and terminal ID from authorization request message for the transaction.
  • transaction processing system 210 associates the MID and terminal IDs with that beacon ID.
  • that portable communication device can transmit the beacon ID to transaction processing system 210, together with its device ID and device fingerprint, in effect telling transaction processing system 210 that the user is in that particular store.
  • the access device has been illustrated as a POS terminal, both the interactive and beacon only scenarios can also be used at an access device such as an ATM for the issuer to gain confidence that the withdrawal is legitimate.
  • an access device such as an ATM for the issuer to gain confidence that the withdrawal is legitimate.
  • the form factor of the ATM is different from a POS terminal, the flows would be similar to those described above.
  • the portable communication device is illustrated as a mobile phone, and the portable transaction device is illustrated as a card, in some embodiments other pairs of devices can be used.
  • the portable communication device can be a wearable device such as a watch, and the watch can be used with a mobile phone or a card acting as the portable transaction device to perform the transaction flows described herein.
  • the portable communication device can be a vehicle equipped with communication capabilities operated by the user at a drive-thru, and the vehicle can be used with a mobile phone, a wearable device, or a card acting as the portable transaction device to perform the transaction flows described herein.
  • BLE Bluetooth low energy
  • the techniques described herein may also differ from GPS location-based verification in that according to some embodiments, the merchant can be provided with an indication as to whether the portable communication device is present at the merchant before the user conducts a transaction to allow the merchant to perform its own risk assessment of the transaction (e.g., to decide whether to omit requesting the user to enter a PIN or signature at checkout).
  • FIG. 3 illustrates a system 300 that can implement a biometric recognition process.
  • System 300 includes similar components as those described with reference to FIGs. 1 and 2 .
  • Elements 302, 304, 306, and 310 can be similar to elements 102 and 202, 104 and 204, 106 and 206, and 110 and 210 in FIGs. 1 and 2 , respectively.
  • FIG. 3 also illustrates a camera 312 (an example of a biometric acquisition device) which can take an image of a user's face.
  • a camera is disclosed as a biometric acquisition device, other types of biometric acquisition devices and other types of biometric samples may be obtained. For example, fingerprints, voice samples, iris scans, and other types of biometric samples may be captured by suitable biometric acquisition devices and converted to corresponding biometric templates (which may be date representing biometric samples such as photographs).
  • facial recognition can help to disambiguate customers at or near the cash register.
  • the scenario is that the store has sensed the presence of the customer's mobile device as they enter the store.
  • information is passed back to the transaction processing system or the user's issuer that identifies the user (e.g., a payment cardholder) and also which store they are located at.
  • a camera in the store can now capture images of the user's face and use those images to identify the user. The identification can be done in several different ways.
  • the transaction processing system 310 can forward a reference picture of the user's face to the store to use for identification, together with a payment token.
  • the store would use the reference picture to perform the identification, and once identification had been achieved, could use the payment token for payment.
  • Identification would be feasible because the store would have a limited number of images to compare against, limited by the number of enrolled customers currently in that particular store.
  • identification would be possible because of the limited number of people in any particular store at any particular time.
  • the payment can be initiated upon confirmation of the identity of the user at the cash register, together with capture in some form of that user's consent to pay the specified amount.
  • This capture could be done photographically as well, and supplied upon demand by the merchant to the transaction processing system 310.
  • the user 320 could have, but does not need to have a portable transaction device.
  • a user 320 in possession of a portable communication device 302 may enter a store with the base station 304.
  • the base station 304 detects an enrolled portable communication device 302, and transmits a merchant ID, store ID, and date to the portable communication device 302.
  • the base station 304 could also or alternatively transmit a UUID, store major, and store minor to the portable communication device 302.
  • the portable communication device 302 transmits a device ID, device fingerprint, merchant ID, store ID, and a date and time to the transaction processing system 310.
  • the transaction processing system 310 validates the session and device fingerprint against the device ID. If the device fingerprint and device ID are valid, then the transaction processing system 310 can determine an account credential or token from the received device information. In some embodiments, the transaction processing system 310 can look up a primary account number associated with the device fingerprint and/or the device ID. Using the primary account number, the transaction processing system 310 can look up a reference photo and a payment token associated with the primary account number. The reference photo may have been previously provided to the transaction processing system 310 by the user, and the data representing the reference photo may be in any suitable form (e.g., a bitmap image file, a JPEG file, GIF file, etc.).
  • a first biometric template such as the data representing the reference photo ("reference photo data"), and the payment token are transmitted by the transaction processing system 310 to the portable communication device 302.
  • the first biometric template and the payment token are transmitted from the portable communication device 302 to the base station 304.
  • the base station 304 may send a signal to the camera 312 to cause it to take a picture of the user's face 320.
  • a second biometric template such as data representing the picture of the user's face may be provided by the camera 312 to the base station 304.
  • the base station 304 may compare the first and second biometric templates (e.g., comparing the data representing the picture of the user's face with the reference photo data received from the portable communication device 302). If there the received data match, then as shown in step S308, the payment token can be transmitted to the access device 306.
  • this example describes the base station 304 doing the comparison of the captured photo of the user and the reference photo data, it is understood that this comparison can be performed by any suitable device or even by store personnel.
  • the access device 306 may generate and then transmit an authorization request message to the transaction processing system 310.
  • the authorization request message may comprise the payment token, an expiration date, a transaction amount, a merchant ID, a terminal ID, and other information.
  • the transaction processing system 310 may determine the primary account number from the token and may authorize or not authorize the transaction.
  • the transaction processing system 310 may forward the authorization request message with the primary account number to an authorizing computer (not shown in FIG. 3 ) for authorization and the authorizing computer may determine whether or not to authorize the transaction.
  • the transaction processing system 310 may transmit an authorization response message to the access device 306. If the authorization request message was previously transmitted to an authorizing computer, then the transaction processing system 310 may first receive the authorization response message from the authorizing computer. As noted above, a clearing and settlement process may be subsequently performed.
  • the system and method described above with respect to FIG. 3 has a number of advantages.
  • the user does not need to have a separate portable transaction device.
  • the user may simply enter a location, and a resource provider or a device operated by the resource provider can confidently allow the transaction to proceed by simply validating a biometric sample of the user.
  • FIG. 4 shows a block diagram of a system 400 according to an embodiment of the invention.
  • the system includes a portable transaction device 408, one or more terminals 406, a base station 404, a portable communication device 402, an issuer server 422, and transaction processing system 410.
  • the access devices 406 may include verification processing to query the MLC-IS Verification Module to determine the user's physical presence in the store.
  • Terminal verification result (TVR) bits can indicate that authentication has been performed. With these bits set, terminals can take the processing results into account while performing transactions.
  • the verification result may be carried in other data fields in the authorization request message.
  • the transaction processing system 410 comprises a mobile gateway 410A, a network interface 410B, and an MLC (mobile location confirmation) platform 410C in communication with each other.
  • the MLC platform may also comprise a store check in service 410C-1, an enrollment service 410C-2, a location update service 410C-3, an MLC database 410C-4, MLC backend servers 410C-5, and one or more data processors 410C-6.
  • the transaction processing system 410 may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, transaction scoring services, and clearing and settlement services.
  • An exemplary transaction processing system may include VisaNetTM.
  • Transaction processing systems such as VisaNetTM are able to process credit card transactions, debit card transactions, and other types of commercial transactions.
  • VisaNetTM in particular, may include a VIP system (Visa Integrated Payments system) which processes authorization requests and a Base II system which performs clearing and settlement services.
  • the store check in service 410C-1 (working in conjunction with the processor 410C-6) can decode the base64 strings of UUID major and minor into the binary strings using base64 data decoding. If the decoding fails, the store check in service 410C-1 can return a predetermined status code and the corresponding message as the API response. Otherwise, the store check in service 410C-1 searches for the primary account number(s) (PAN) and PAN expiration date that are associated with the device ID. If PAN(s) and PAN expiration date(s) are found, the store check in service 410C-1 can perform the following for each pair of PAN and PAN expiration date:
  • the portable communication device 402 may comprise a mobile location agent 402A.
  • the mobile location agent 402A may be programmed to provide for beacon detection capability - this capability is required to wake up or notify the mobile location agent 402A once the cardholder/mobile device owner enters into a merchant store where the beacon monitors. It may also provide for BLE connection management - the mobile location agent 402A can be used to set up and manage a BLE connection with the base station to send store check in information to the store controller BLE.
  • the base station 404 may be in any suitable form (e.g., a single device with a single housing, multiple devices with multiple housings, any suitable combination of software and/or hardware, etc.) comprise a BLE beacon 404A, a BLE station 404B, and an MLC verification module 404C.
  • the BLE beacon 404A is a device that constantly advertises a predefined BLE data package. It can be used to notify the user's portable communication device when the user walks into a resource provider store (e.g., a merchant store).
  • the BLE station 404A can be a device that exchanges information with the portable communication device 402 over the BLE channel. It is used to receive the cryptographic patterns from the portable communication device 402.
  • the verification module 404C can be used to store the cryptographic patterns, receive the hash matching request from the access device, perform the hash matching, and return the hash matching results back to the access device. Although the verification module 404C is illustrated in the base station 404, it may be present in other devices (e.g., the access device) in other embodiments of the invention.
  • FIG. 5 illustrates a block diagram of a portable communication device 501, according to some embodiments.
  • Portable communication device 501 may include device hardware 504 coupled to a memory 502.
  • Device hardware 504 may include a processor 505, a communications subsystem 508, use interface 506, and a display 507 (which may be part of user interface 506).
  • Processor 505 can be implemented as one or more integrated circuits (e.g., one or more single core or multicore microprocessors and/or microcontrollers), and is used to control the operation of portable communication device 501.
  • Processor 505 can execute a variety of programs in response to program code or computer-readable code stored in memory 502, and can maintain multiple concurrently executing programs or processes.
  • Communications subsystem 509 may include one or more RF transceivers and/or connectors that can be used by portable communication device 501 to communicate with other devices and/or to connect with external networks.
  • User interface 506 can include any combination of input and output elements to allow a user to interact with and invoke the functionalities of portable communication device 501.
  • display 507 may be part of user interface 506.
  • Memory 502 can be implemented using any combination of any number of non-volatile memories (e.g., flash memory) and volatile memories (e.g., DRAM, SRAM), or any other non-transitory storage medium, or a combination thereof media.
  • Memory 502 may store a mobile OS 514 and a mobile application environment 510 where one or more mobile applications reside 512 (e.g., a payment application such as a mobile wallet application, merchant application, mobile location application, etc.) to be executed by processor 505.
  • a mobile application environment 510 where one or more mobile applications reside 512 (e.g., a payment application such as a mobile wallet application, merchant application, mobile location application, etc.) to be executed by processor 505.
  • FIG. 6 shows a diagram of a transaction processing system 600 that can incorporate any of the previously described systems.
  • the transaction processing system 601 includes a user device 601 that is operated by a user 602.
  • the user device can interact with an access device 604, and can be the previously described portable transaction device.
  • the access device 604 is in communication with an authorization computer 612 via a resource provider computer 606, a transport computer 608, and a processing network 610.
  • a token service system 614 may be in communication with the processing network 610 (or may be incorporated within it.
  • the processing network 610 may include the previously described transaction processing system.
  • the user may use the user device 601 to interact with the access device 604.
  • the access device may then generate and transmit an authorization request message to the processing network 610 via the resource provider computer 606 and transport computer 608.
  • the processing network 610 may retrieve real credentials associated with the token from the token service system 614 and may replace the token with the real credentials in the authorization request message.
  • the authorization request message may then be forwarded to the authorization computer 612 for an authorization decision.
  • the authorization computer 612 After the authorization computer 612 makes the authorization decision, it returns an authorization response back to the access device 604 via the processing network 610, the transport computer 608, and the resource provider computer 606. If desired, the processing network 610 may replace the real credentials in the authorization response message with a previously provided token. As noted above, a clearing and settlement process may be subsequently performed.
  • FIG. 7 shows a flowchart illustrating a hash matching process according to an embodiment of the invention.
  • the hash matching process can be performed by a base station, access device, and/or transaction processing system, as described above in FIGs. 1 and 2 .
  • step S702 the hash matching process can begin.
  • step S704 a decision is made, by a device, as to whether any data elements are missing and/or if the format is not supported. In step S714, if there are data elements that are missing and/or if the format is not supported, then an invalid request indicator is generated by the device.
  • step S706 a decision is made, by the device, as to whether any cryptographic patterns are in the device being used.
  • step S708 if there are cryptographic patterns in the device, the received cryptographic pattern is processed by the device.
  • step S710 a determination is made by the device as to whether a generated cryptographic pattern matches a stored cryptographic pattern.
  • a success indicator may be created by the device.
  • step S712 if there is not a match, the device determines if there are more cryptographic patterns in the module. In step S718, if there are no further cryptographic patterns to test, then a failure indicator may be generated.
  • step S720 the cryptographic pattern matching process ends.
  • Some entities or components described herein may be associated with or operate one or more computer apparatuses to facilitate the functions described herein. Some of the entities or components described herein, including any server or database, may use any suitable number of subsystems to facilitate the functions.
  • Examples of such subsystems or components can be interconnected via a system bus. Additional subsystems such as a printer, keyboard, fixed disk (or other memory comprising computer readable media), monitor, which is coupled to display adapter, and others are shown. Peripherals and input/output (I/O) devices, which couple to I/O controller (which can be a processor or other suitable controller), can be connected to the computer system by any number of means known in the art, such as serial port. For example, serial port or external interface can be used to connect the computer apparatus to a wide area network such as the Internet, a mouse input device, or a scanner.
  • the interconnection via system bus allows the central processor to communicate with each subsystem and to control the execution of instructions from system memory or the fixed disk, as well as the exchange of information between subsystems.
  • the system memory and/or the fixed disk may embody a computer readable medium.
  • Embodiments of the invention provide for a number of advantages. For example, by using an in store base station, embodiments of the invention can accurately determine if an authentic user is actually conducting a transaction with a portable transaction device. A fraudster who does not have the user's portable communication device will not be able to conduct a transaction using the user's portable transaction device. Thus, unauthorized access to locations, unauthorized payment transactions, and unauthorized data requests can be prevented using embodiments of the invention. Further, as is apparent above, the verification of the user's authenticity at the location of the transaction can be verified before the user ever gets to the point of starting the transaction and the verification processing used in embodiments of the invention is secure.
  • additional authentication processes e.g., PIN or password requests, or signature
  • PIN or password requests, or signature PIN or password requests, or signature
  • Messages between the computers, networks, and devices described herein may be transmitted using a secure communications protocols such as, but not limited to, File Transfer Protocol (FTP); HyperText Transfer Protocol (HTTP); Secure Hypertext Transfer Protocol (HTTPS), Secure Socket Layer (SSL), ISO (e.g., ISO 8583) and/or the like.
  • FTP File Transfer Protocol
  • HTTP HyperText Transfer Protocol
  • HTTPS Secure Hypertext Transfer Protocol
  • SSL Secure Socket Layer
  • ISO e.g., ISO 8583
  • An additional embodiment is directed to a method comprising: receiving, by a portable communication device from a base station, a resource provider identifier; transmitting, by the portable communication device, the resource provider identifier and device information to a transaction processing system, wherein the transaction processing system receives the resource provider identifier and device information.
  • Another embodiment of the invention can further include, wherein the transaction processing system generates a cryptographic pattern, and the method further includes: receiving the cryptographic pattern; and transmitting the cryptographic pattern to the base station, which transmits the cryptographic pattern to an access device, which generates another cryptographic pattern using data from a portable transaction device and thereafter determines if the authentic user is present, and transmits verification data to the transaction processing system.
  • Another embodiment of the invention can be directed to a portable communication device that includes code, executable by a processor, to perform the above described methods.
  • a futher additional embodiment of the invention can be directed to a method comprising: receiving, by an access device, a first cryptographic pattern from a base station; determining a second cryptographic pattern from a received credential from a portable transaction device, and a stored resource provider identifier; comparing the first and second cryptographic patterns; and determinng verification data based upon comparing the first and second cryptographic patterns.
  • inventions include an access device comprising code, executable by the processor, for performing the above-described method.
  • Still another embodiment of the invention can be directed to a method comprising: receiving, by a portable communication device, a resource provider identifier from a base station; transmitting the resource provider identifier and device information to a transaction processing system; receiving, by the portable communication device, from the transaction processing system, a token and a first biometric template; and transmitting, the token and the first biometric template to the base station.
  • the base station may cause a biometric acquisition device to capture a second biometric template of the user and may compare them. If they match, then the token may be provided to an access device to complete a transaction.
  • inventions are directed to portable communication devices comprising code, executable by a processor, for performing the above-noted method.
  • Still another embodiment of the invention is directed to a method comprising: providing by a base station, a resource provider identifier to a portable communication device; receiving, from the portable communication device, a first biometric template and a token; causing a biometric acquisition device to produce a second biometric template; comparing the first and second biometric templates; and if the first and second biometric templates match, then providing the token to an access device.
  • inventions are directed to portable communication devices comprising code, executable by a processor, for performing the above-noted method.
  • embodiments described above relate to authentication processing, other types of processing can be performed using embodiments of the invention.
  • embodiments of the invention can verify that a user is actually at a specific location, embodiments of the invention could also be used to provide incentives or rewards to a user.
  • any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques.
  • the software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM.
  • RAM random access memory
  • ROM read only memory
  • magnetic medium such as a hard-drive or a floppy disk
  • optical medium such as a CD-ROM.
  • Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Strategic Management (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Finance (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Mobile Radio Communication Systems (AREA)

Claims (9)

  1. Procédé comprenant :
    la réception (S102), par un ordinateur de serveur et à un premier moment, d'informations de dispositif et d'un identifiant de fournisseur de ressource depuis un dispositif de communication portable d'un utilisateur, dans lequel l'identifiant de fournisseur de ressource a été reçu par le dispositif de communication portable depuis une station de base qui est située à un emplacement de fournisseur de ressource identifié par l'identifiant de fournisseur de ressource ;
    la recherche électronique (S103), par l'ordinateur de serveur, dans une base de données d'un identifiant de compte associé au dispositif de communication portable à l'aide des informations de dispositif ;
    le hachage (S103), par l'ordinateur de serveur, d'au moins l'identifiant de fournisseur de ressource et l'identifiant de compte pour générer un motif cryptographique ;
    la transmission (S104), par l'ordinateur de serveur, du motif cryptographique généré via le dispositif de communication portable, puis la station de base à un dispositif d'accès qui stocke le motif cryptographique ;
    la réception (S110), par l'ordinateur de serveur depuis le dispositif d'accès impliqué dans une transaction menée avec un dispositif de transaction portable d'un utilisateur à un deuxième moment qui est ultérieur au premier moment, d'un message de demande d'autorisation comprenant un identifiant de compte reçu par le dispositif d'accès depuis le dispositif de transaction portable au deuxième moment, le message de demande d'autorisation étant généré en cas d'identification par le dispositif d'accès d'une correspondance entre le motif cryptographique généré et stocké et un motif cryptographique généré au deuxième moment par le dispositif d'accès hachant l'identifiant de fournisseur de ressource et l'identifiant de compte qui est reçu depuis le dispositif de transaction portable d'un utilisateur au deuxième moment, la correspondance dudit motif cryptographique généré au deuxième moment et dudit motif cryptographique stocké conformant ainsi la présence du dispositif de communication portable au niveau du dispositif d'accès au deuxième moment ; et
    la détermination (S111), par l'ordinateur de serveur, sur la base du message de demande d'autorisation, du fait que l'utilisateur du dispositif de communication portable mène la transaction au niveau du dispositif d'accès avec le dispositif de transaction portable au deuxième moment.
  2. Procédé selon la revendication 1, dans lequel le dispositif de transaction portable, le dispositif d'accès et le dispositif de communication portable se trouvent tous à l'emplacement de fournisseur de ressource.
  3. Procédé selon la revendication 2, dans lequel le dispositif d'accès génère le motif cryptographique au deuxième moment à partir d'un identifiant de fournisseur de ressource stocké et de l'identifiant de compte reçu depuis le dispositif de transaction portable au deuxième moment, et dans lequel si le motif cryptographique stocké et le motif cryptographique généré au deuxième moment correspondent, puis des données de vérification sont incluses dans le message de demande d'autorisation, et
    dans lequel la détermination (S111), par l'ordinateur de serveur, du message de demande d'autorisation comprend la détermination du fait que le message de demande d'autorisation contient les données de vérification, pour ainsi déterminer que cet utilisateur du dispositif portable utilise le dispositif de transaction portable pour mener la transaction au niveau du dispositif d'accès au deuxième moment.
  4. Procédé selon la revendication 2 ou 3, dans lequel le dispositif de transaction portable et le dispositif de communication portable sont le même dispositif.
  5. Procédé selon l'une quelconque des revendications précédentes, dans lequel la réception (S102), par l'ordinateur de serveur au premier moment, des informations de dispositif et de l'identifiant de fournisseur de ressource depuis le dispositif de communication portable de l'utilisateur comprend :
    la réception, par l'ordinateur de serveur au premier moment, des informations de dispositif, de l'identifiant de fournisseur de ressource et d'une date depuis le dispositif de communication portable.
  6. Ordinateur de serveur (110) comprenant :
    un processeur ; et
    un support lisible par ordinateur comprenant un code exécutable par le processeur pour la mise en oeuvre d'un procédé comprenant :
    la réception d'informations de dispositif et d'un identifiant de fournisseur de ressource depuis un dispositif de communication portable (102) d'un utilisateur à un premier moment, dans lequel l'identifiant de fournisseur de ressource a été reçu par le dispositif de communication portable (102) depuis une station de base (104) qui est située à un emplacement de fournisseur de ressource identifié par l'identifiant de fournisseur de ressource ;
    la recherche électronique dans une base de données d'un identifiant de compte associé au dispositif de communication portable (102) à l'aide des informations de dispositif ;
    le hachage d'au moins l'identifiant de fournisseur de ressource et de l'identifiant de compte pour générer un motif cryptographique ;
    la transmission du motif cryptographique généré via le dispositif de communication portable (102), puis la station de base (104) à un dispositif d'accès (106) qui stocke le motif cryptographique ;
    la réception depuis le dispositif d'accès (106) impliqué dans une transaction menée avec un dispositif de transaction portable (108) à un deuxième moment qui est ultérieur au premier moment, d'un message de demande d'autorisation comprenant l'identifiant de compte reçu par le dispositif d'accès (106) depuis le dispositif de transaction portable (108) au deuxième moment, le message de demande d'autorisation étant généré en cas d'identification par le dispositif d'accès d'une correspondance entre le motif cryptographique généré et stocké et un motif cryptographique généré au deuxième moment par le dispositif d'accès hachant l'identifiant de fournisseur de ressource et l'identifiant de compte qui est reçu depuis le dispositif de transaction portable d'un utilisateur au deuxième moment, la correspondance dudit motif cryptographique généré au deuxième moment et dudit motif cryptographique stocké confirmant ainsi la présence du dispositif de communication portable au niveau du dispositif d'accès au deuxième moment ; et
    la détermination du message de demande d'autorisation sur la base du message de demande d'autorisation du fait que l'utilisateur du dispositif de communication portable (102) mène la transaction au niveau du dispositif d'accès (106) avec le dispositif de transaction portable (108) au deuxième moment.
  7. Ordinateur de serveur (110) selon la revendication 6, dans lequel le dispositif de transaction portable (108), le dispositif d'accès (106) et le dispositif de communication portable (102) se trouvent tous à l'emplacement de fournisseur de ressource.
  8. Ordinateur de serveur (110) selon la revendication 7, dans lequel le dispositif d'accès (106) génère le motif cryptographique généré au deuxième moment à partir d'un identifiant de fournisseur de ressource stocké et de l'identifiant de compte reçu depuis le dispositif de transaction portable (108) au deuxième moment, et dans lequel si le motif cryptographique stocké et le motif cryptographique généré au deuxième moment correspondent, des données de vérification sont incluses dans le message de demande d'autorisation, et dans lequel
    le support lisible par ordinateur comprend en outre un code exécutable par le processeur destiné à déterminer si le message de demande d'autorisation contient les données de vérification pour ainsi déterminer que cet utilisateur du dispositif portable (102) utilise également le dispositif de transaction portable (108) pour mener la transaction au niveau du dispositif d'accès (106) au deuxième moment.
  9. Ordinateur de serveur (110) selon l'une quelconque des revendications 6 à 8, dans lequel le support lisible par ordinateur comprend en outre un code exécutable par le processeur, pour
    recevoir les informations de dispositif, l'identifiant de fournisseur de ressource et une date depuis le dispositif de communication portable (102).
EP16765725.3A 2015-03-17 2016-03-17 Vérification de transaction de dispositifs multiples Active EP3271885B1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562134177P 2015-03-17 2015-03-17
PCT/US2016/022792 WO2016149463A1 (fr) 2015-03-17 2016-03-17 Vérification de transaction de dispositifs multiples

Publications (3)

Publication Number Publication Date
EP3271885A1 EP3271885A1 (fr) 2018-01-24
EP3271885A4 EP3271885A4 (fr) 2018-02-21
EP3271885B1 true EP3271885B1 (fr) 2019-07-10

Family

ID=56919335

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16765725.3A Active EP3271885B1 (fr) 2015-03-17 2016-03-17 Vérification de transaction de dispositifs multiples

Country Status (6)

Country Link
US (4) US10210521B2 (fr)
EP (1) EP3271885B1 (fr)
CN (1) CN107430731A (fr)
AU (1) AU2016233226A1 (fr)
RU (2) RU2711464C2 (fr)
WO (1) WO2016149463A1 (fr)

Families Citing this family (56)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11574299B2 (en) 2013-10-14 2023-02-07 Equifax Inc. Providing identification information during an interaction with an interactive computing environment
EP3058532A4 (fr) 2013-10-14 2017-04-12 Equifax, Inc. Fourniture d'informations d'identification à des applications de commerce mobile
CN104579668B (zh) * 2013-10-28 2018-12-11 深圳市腾讯计算机系统有限公司 一种用户身份的验证方法和密码保护装置及验证系统
WO2016149463A1 (fr) 2015-03-17 2016-09-22 Visa International Service Association Vérification de transaction de dispositifs multiples
US9984371B2 (en) * 2015-03-27 2018-05-29 Ca, Inc. Payment de-tokenization with risk evaluation for secure transactions
US11232448B2 (en) 2015-06-30 2022-01-25 Worldpay, Llc Configurable transaction management controller and method thereof
US11042872B2 (en) * 2015-12-18 2021-06-22 Worldpay, Llc Dynamically configurable transaction management controller and method thereof
US20170186003A1 (en) * 2015-12-28 2017-06-29 Ncr Corporation Secondary authentication of network transactions
EP3232399A1 (fr) 2016-04-12 2017-10-18 Visa Europe Limited Système permettant d'effectuer un contrôle de validité d'un dispositif utilisateur
US11720890B2 (en) * 2016-04-22 2023-08-08 Micro Focus Llc Authorization of use of cryptographic keys
US11587063B1 (en) * 2016-07-06 2023-02-21 United Services Automobile Association (Usaa) Automated proximity fraud account lock systems and methods
CN109496405B (zh) 2016-07-29 2022-05-17 维萨国际服务协会 利用密码技术的多装置认证方法和系统
US10854028B2 (en) * 2016-08-09 2020-12-01 Vivint, Inc. Authentication for keyless building entry
AU2017316312B2 (en) 2016-08-23 2022-01-20 Visa International Service Association Remote usage of locally stored biometric authentication data
US11080380B2 (en) * 2016-11-08 2021-08-03 Aware, Inc. Decentralized biometric identity authentication
SG10201610340WA (en) * 2016-12-09 2018-07-30 Mastercard International Inc Control of permissions for making transactions
US11315116B2 (en) * 2016-12-16 2022-04-26 Mastercard International Incorporated Systems and methods for use in authenticating consumers in connection with payment account transactions
US20180232725A1 (en) * 2017-02-14 2018-08-16 Its, Inc. Payment tokenization using separate token vault
AU2018253294B2 (en) * 2017-04-13 2022-09-15 Equifax Inc. Location-based detection of unauthorized use of interactive computing environment functions
US10412096B2 (en) * 2017-04-18 2019-09-10 Visa International Service Association Wireless authentication based on location data
WO2019006144A1 (fr) 2017-06-29 2019-01-03 Equifax, Inc. Prise en charge d'autorisation de tiers pour des fonctions d'un environnement informatique interactif
US10216917B2 (en) 2017-07-17 2019-02-26 International Business Machines Corporation Identity validation using local environment information
WO2019118682A1 (fr) 2017-12-14 2019-06-20 Equifax Inc. Interface de programmation d'application tierce intégrée pour empêcher la transmission de données sensibles
US10902425B2 (en) 2017-12-29 2021-01-26 Walmart Apollo, Llc System and method for biometric credit based on blockchain
US11368457B2 (en) 2018-02-20 2022-06-21 Visa International Service Association Dynamic learning system for intelligent authentication
US11687929B2 (en) * 2018-03-23 2023-06-27 American Express Travel Related Services Co., Inc. Authenticated secure online and offline transactions
JP7301869B2 (ja) 2018-03-27 2023-07-03 ビザ インターナショナル サービス アソシエーション アプライアンスへのトークンの承認およびプロビジョニングのためのシステムおよび方法
US20210279734A1 (en) * 2018-07-06 2021-09-09 Visa International Service Association Real time interaction processing system and method
US10748132B2 (en) * 2018-07-17 2020-08-18 Bank Of America Corporation Security tool
US11057377B2 (en) * 2018-08-26 2021-07-06 Ncr Corporation Transaction authentication
CN112740614B (zh) 2018-09-20 2024-06-07 维萨国际服务协会 用于刷新令牌数据的系统和方法
SG11202102201QA (en) 2018-09-20 2021-04-29 Visa Int Service Ass Digital ticket system and method
US11093732B2 (en) * 2018-09-25 2021-08-17 Advanced New Technologies Co., Ltd. Reduction of search space in biometric authentication systems
CN112823368B (zh) * 2018-10-11 2024-08-13 维萨国际服务协会 通过云生物特征标识和认证实现的令牌化非接触式交易
SG11202103704YA (en) * 2018-10-23 2021-05-28 Visa Int Service Ass Validation service for account verification
WO2020093076A2 (fr) * 2018-11-02 2020-05-07 Thandisizwe Ezwenilethu Pama Système de localisation de dispositif de transaction
WO2020142512A1 (fr) * 2019-01-02 2020-07-09 Visa International Service Association Ordinateur et conduit pour test de système
CN109886670B (zh) * 2019-02-01 2022-04-19 Oppo广东移动通信有限公司 支付方法、装置、系统、移动终端、支付机具及服务器
CN109872143B (zh) * 2019-02-01 2021-08-17 Oppo广东移动通信有限公司 支付信息绑定方法、装置、移动终端及系统
CN109712301A (zh) * 2019-02-01 2019-05-03 Oppo广东移动通信有限公司 支付方法、装置、系统、电子设备及存储介质
CN109919597B (zh) * 2019-02-01 2022-03-15 Oppo广东移动通信有限公司 支付信息处理方法、装置、移动终端及系统
KR20200100481A (ko) * 2019-02-18 2020-08-26 삼성전자주식회사 생체 정보를 인증하기 위한 전자 장치 및 그의 동작 방법
US11144617B2 (en) * 2019-02-26 2021-10-12 Visa International Service Association Data value routing system and method
US11283781B2 (en) 2019-04-09 2022-03-22 Visa International Service Association Proximity interaction system including secure encryption scheme
US11115436B2 (en) 2019-06-06 2021-09-07 Visa International Service Association Footprint data to prevent man-in-the-middle attacks
US11574365B2 (en) * 2019-06-17 2023-02-07 Optum, Inc. Token-based pre-approval systems and methods for payment request submissions
US11810105B2 (en) 2019-06-20 2023-11-07 Visa International Service Association System and method for authorizing and provisioning a token to an appliance
CN110996249A (zh) * 2019-11-12 2020-04-10 嘉联支付有限公司 终端交易区域范围控制方法和装置
US11271933B1 (en) * 2020-01-15 2022-03-08 Worldpay Limited Systems and methods for hosted authentication service
CN115315924A (zh) * 2020-03-05 2022-11-08 维萨国际服务协会 使用移动装置在访问控制服务器处进行用户认证
GB2595214A (en) * 2020-05-15 2021-11-24 Finlab 2000 Ltd A method and system for securing a transaction between a customer and a merchant
US11989739B2 (en) * 2020-06-19 2024-05-21 Apple Inc. System and method for identity verification
AU2020103160B4 (en) * 2020-07-21 2021-07-15 Asbestos Reports Australia Pty Limited Data integrity management in a computer network
US11551213B1 (en) * 2021-07-29 2023-01-10 Bank Of America Corporation Specialized transaction execution via assistive devices
US20230237464A1 (en) * 2022-01-20 2023-07-27 Mastercard International Incorporated System and Method for Providing Transaction Report Data Using A User Device
EP4411618A1 (fr) * 2023-02-06 2024-08-07 Mastercard International Incorporated Procédé de validation de transaction distribuée hors ligne

Family Cites Families (56)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6868391B1 (en) 1997-04-15 2005-03-15 Telefonaktiebolaget Lm Ericsson (Publ) Tele/datacommunications payment method and apparatus
JP2002117377A (ja) 2000-10-04 2002-04-19 Nec Corp 位置情報を用いた、個人認証システム、カードによる認証システム及び暗証番号によるドアロックシステム
US7565008B2 (en) * 2000-11-06 2009-07-21 Evryx Technologies, Inc. Data capture and identification system and process
US7680324B2 (en) * 2000-11-06 2010-03-16 Evryx Technologies, Inc. Use of image-derived information as search criteria for internet and other search engines
US8224078B2 (en) * 2000-11-06 2012-07-17 Nant Holdings Ip, Llc Image capture and identification system and process
JP2002269350A (ja) 2001-03-14 2002-09-20 Hitachi Ltd 取引決済方法、取引決済システム並びにそれに用いる携帯通信端末及び加盟店用決済端末
US20020147600A1 (en) * 2001-04-05 2002-10-10 Ncr Corporation System and method for implementing financial transactions using biometric keyed data
GB0113630D0 (en) 2001-06-05 2001-07-25 Koninkl Philips Electronics Nv Payment authorisation through beacons
US7752135B2 (en) 2002-01-16 2010-07-06 International Business Machines Corporation Credit authorization system and method
US7376431B2 (en) 2002-02-05 2008-05-20 Niedermeyer Brian J Location based fraud reduction system and method
US6948656B2 (en) 2003-12-23 2005-09-27 First Data Corporation System with GPS to manage risk of financial transactions
US7743981B2 (en) 2003-12-23 2010-06-29 First Data Corporation GPS database to manage risk for financial transactions
US7221949B2 (en) 2005-02-28 2007-05-22 Research In Motion Limited Method and system for enhanced security using location-based wireless authentication
RU2402814C2 (ru) * 2005-04-19 2010-10-27 Майкрософт Корпорейшн Сетевые коммерческие транзакции
US7503489B2 (en) 2005-04-26 2009-03-17 Bpriv, Llc Method and system for monitoring electronic purchases and cash-withdrawals
WO2007004224A1 (fr) 2005-07-05 2007-01-11 Mconfirm Ltd. Systeme d'authentification ameliore base sur la localisation
US8166068B2 (en) 2005-09-02 2012-04-24 Qwest Location based authorization of financial card transactions systems and methods
US7697942B2 (en) 2005-09-02 2010-04-13 Stevens Gilman R Location based rules architecture systems and methods
US7669759B1 (en) 2006-10-31 2010-03-02 United Services Automobile Association (Usaa) GPS validation for transactions
US8924295B2 (en) 2007-01-03 2014-12-30 At&T Intellectual Property I, L.P. User terminal location based credit card authorization servers, systems, methods and computer program products
US8679641B2 (en) 2007-01-05 2014-03-25 David M. Saxton Wear resistant lead free alloy bushing and method of making
US7594605B2 (en) 2007-01-10 2009-09-29 At&T Intellectual Property I, L.P. Credit card transaction servers, methods and computer program products employing wireless terminal location and registered purchasing locations
US9154952B2 (en) 2007-03-16 2015-10-06 Finsphere Corporation Systems and methods for authenticating a user of a computer application, network, or device using a wireless device
US9185123B2 (en) 2008-02-12 2015-11-10 Finsphere Corporation System and method for mobile identity protection for online user authentication
US8374634B2 (en) 2007-03-16 2013-02-12 Finsphere Corporation System and method for automated analysis comparing a wireless device location with another geographic location
US9432845B2 (en) 2007-03-16 2016-08-30 Visa International Service Association System and method for automated analysis comparing a wireless device location with another geographic location
US9456348B2 (en) 2007-03-16 2016-09-27 Visa International Service Association Systems and methods for authenticating a user of a computer application, network, or device using a wireless device
US8280348B2 (en) 2007-03-16 2012-10-02 Finsphere Corporation System and method for identity protection using mobile device signaling network derived location pattern recognition
US20150142623A1 (en) 2007-03-16 2015-05-21 Finsphere Corporation System and method for identity protection using mobile device signaling network derived location pattern recognition
US8116731B2 (en) 2007-11-01 2012-02-14 Finsphere, Inc. System and method for mobile identity protection of a user of multiple computer applications, networks or devices
US8839394B2 (en) 2007-03-16 2014-09-16 Finsphere Corporation Systems and methods for authenticating a user of a computer application, network, or device using a wireless device
US9922323B2 (en) 2007-03-16 2018-03-20 Visa International Service Association System and method for automated analysis comparing a wireless device location with another geographic location
US9420448B2 (en) 2007-03-16 2016-08-16 Visa International Service Association System and method for automated analysis comparing a wireless device location with another geographic location
US9070129B2 (en) * 2007-09-04 2015-06-30 Visa U.S.A. Inc. Method and system for securing data fields
US8401906B2 (en) 2007-12-12 2013-03-19 At&T Intellectual Property I, L.P. Financial transaction authentication servers, methods, and computer program products for facilitating financial transactions between buyers and sellers
US8060413B2 (en) * 2008-03-14 2011-11-15 Research In Motion Limited System and method for making electronic payments from a wireless mobile device
US8632002B2 (en) 2008-07-08 2014-01-21 International Business Machines Corporation Real-time security verification for banking cards
US8615465B2 (en) 2008-07-08 2013-12-24 International Business Machines Corporation Real-time security verification for banking cards
US9305230B2 (en) * 2008-07-14 2016-04-05 Jumio Inc. Internet payment system using credit card imaging
US7747535B2 (en) 2008-10-17 2010-06-29 At&T Mobility Ii Llc User terminal and wireless item-based credit card authorization servers, systems, methods and computer program products
US20110047075A1 (en) * 2009-08-19 2011-02-24 Mastercard International Incorporated Location controls on payment card transactions
US9681359B2 (en) 2010-03-23 2017-06-13 Amazon Technologies, Inc. Transaction completion based on geolocation arrival
US9489669B2 (en) * 2010-12-27 2016-11-08 The Western Union Company Secure contactless payment systems and methods
US10373160B2 (en) * 2011-02-10 2019-08-06 Paypal, Inc. Fraud alerting using mobile phone location
US8577820B2 (en) 2011-03-04 2013-11-05 Tokyo Electron Limited Accurate and fast neural network training for library-based critical dimension (CD) metrology
US9621350B2 (en) * 2011-06-30 2017-04-11 Cable Television Laboratories, Inc. Personal authentication
US8577810B1 (en) * 2011-09-29 2013-11-05 Intuit Inc. Secure mobile payment authorization
SG193041A1 (en) * 2012-02-21 2013-09-30 Global Blue Holdings Ab Transaction processing system and method
US20130268378A1 (en) * 2012-04-06 2013-10-10 Microsoft Corporation Transaction validation between a mobile communication device and a terminal using location data
US20130339247A1 (en) 2012-06-18 2013-12-19 Visa International Service Association Issuer identification and verification system
US20140310160A1 (en) * 2013-04-11 2014-10-16 Pawan Kumar Alert System with Multiple Transaction Indicators
WO2014196969A1 (fr) * 2013-06-05 2014-12-11 American Express Travel Related Services Company, Inc. Système et procédé d'authentification multifactorielle d'un utilisateur mobile
US10127542B2 (en) 2014-04-29 2018-11-13 Paypal, Inc. Payment code generation using a wireless beacon at a merchant location
US10028081B2 (en) 2014-07-10 2018-07-17 Bank Of America Corporation User authentication
WO2016149463A1 (fr) 2015-03-17 2016-09-22 Visa International Service Association Vérification de transaction de dispositifs multiples
US9721251B1 (en) * 2015-05-01 2017-08-01 Square, Inc. Intelligent capture in mixed fulfillment transactions

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
CN107430731A (zh) 2017-12-01
WO2016149463A1 (fr) 2016-09-22
US11763311B2 (en) 2023-09-19
RU2017134358A3 (fr) 2019-06-24
US10515369B2 (en) 2019-12-24
US10210521B2 (en) 2019-02-19
RU2017134358A (ru) 2019-04-05
RU2711464C2 (ru) 2020-01-17
AU2016233226A1 (en) 2017-08-24
US20160277380A1 (en) 2016-09-22
RU2019142493A (ru) 2020-01-21
EP3271885A4 (fr) 2018-02-21
US20220122081A1 (en) 2022-04-21
US20200082408A1 (en) 2020-03-12
EP3271885A1 (fr) 2018-01-24
US11238457B2 (en) 2022-02-01
US20190114641A1 (en) 2019-04-18

Similar Documents

Publication Publication Date Title
US11763311B2 (en) Multi-device transaction verification
US11256789B2 (en) Recurring token transactions
EP3259877B1 (fr) Méthodes et dispositif d'authentification sécurisée d'utilisateur et dispositif mobile
CN113507377B (zh) 用于使用基于交易特定信息的令牌和密码的交易处理的装置和方法
EP3491776B1 (fr) Procédé et système d'authentification à dispositifs multiples utilisant des techniques cryptographiques
US12015964B2 (en) Method and system for location-based resource access
US20230062507A1 (en) User authentication at access control server using mobile device
US11564102B2 (en) Fraudulent wireless network detection with proximate network data
US20230066754A1 (en) Digital identity authentication system and method
US11574310B2 (en) Secure authentication system and method
US20230153800A1 (en) Token processing for access interactions
WO2024077127A1 (fr) Flux de messagerie pour interactions distantes à l'aide de données sécurisées
WO2024220432A1 (fr) Interaction à distance sécurisée à l'aide d'un dispositif de transaction portable
EP4409831A1 (fr) Interaction d'identité à distance
BR112018077461B1 (pt) Método, e, computador servidor

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20170809

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

A4 Supplementary search report drawn up and despatched

Effective date: 20180123

RIC1 Information provided on ipc code assigned before grant

Ipc: G06Q 20/32 20120101ALI20180117BHEP

Ipc: G06Q 20/40 20120101AFI20180117BHEP

Ipc: G06Q 20/38 20120101ALI20180117BHEP

Ipc: G06Q 20/36 20120101ALI20180117BHEP

Ipc: H04L 29/06 20060101ALI20180117BHEP

Ipc: H04W 12/06 20090101ALI20180117BHEP

Ipc: H04W 12/08 20090101ALI20180117BHEP

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602016016763

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: G06Q0020360000

Ipc: G06Q0020400000

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: G06Q 20/40 20120101AFI20181221BHEP

Ipc: G06Q 20/36 20120101ALI20181221BHEP

Ipc: G06Q 20/38 20120101ALI20181221BHEP

Ipc: H04L 29/06 20060101ALI20181221BHEP

Ipc: H04W 12/08 20090101ALI20181221BHEP

Ipc: H04W 12/06 20090101ALI20181221BHEP

Ipc: G06Q 20/32 20120101ALI20181221BHEP

INTG Intention to grant announced

Effective date: 20190129

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

Ref country code: AT

Ref legal event code: REF

Ref document number: 1154345

Country of ref document: AT

Kind code of ref document: T

Effective date: 20190715

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602016016763

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20190710

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1154345

Country of ref document: AT

Kind code of ref document: T

Effective date: 20190710

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191010

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191111

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191010

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191011

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191110

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200224

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602016016763

Country of ref document: DE

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG2D Information on lapse in contracting state deleted

Ref country code: IS

26N No opposition filed

Effective date: 20200603

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20200331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200317

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200331

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200331

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200317

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20190710

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230511

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20240220

Year of fee payment: 9

Ref country code: GB

Payment date: 20240220

Year of fee payment: 9